From 23e96aeb302f74e01c1b0bd64bcfcff7d63552d0 Mon Sep 17 00:00:00 2001 From: itsKedar <37594766+itsKedar@users.noreply.github.com> Date: Mon, 27 Nov 2023 17:09:11 +0530 Subject: [PATCH] Added details for version parameter (#1297) --- docs/Configuration.md | 73 ++++++++++++++++++++++--------------------- 1 file changed, 37 insertions(+), 36 deletions(-) diff --git a/docs/Configuration.md b/docs/Configuration.md index 1f397150f..181d11483 100644 --- a/docs/Configuration.md +++ b/docs/Configuration.md 
@@ -544,42 +544,43 @@ For more details on break build, please refer to [Thresholds and policies](https ### Checkmarx Section -| Config | Default | Required | WebHook | Command Line | Notes | -|------------------------------------|-----------------------|------------------------------|---------|-------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `username` | | Yes | Yes | Yes | Service account for Checkmarx | -| `password` | | Yes | Yes | Yes | Service account password Checkmarx | -| `client-secret` | | Yes | Yes | Yes | OIDC client secret for API login to Checkmarx | -| `scope` | | Yes | Yes | Yes | While using scope value in CLI, it must be provided in double quotes "" otherwise an exception will be thrown. | -| `base-url` | | Yes | Yes | Yes | Base FQDN and port for Checkmarx | -| `multi-tenant` | false | No* | Yes | Yes (Scan only) | If yes, the name space is created or reused, if it has been pre-registered or already created for previous scans) | -| `scan-preset` | Checkmarx Default | No* | Yes | Yes (Scan only) | The default preset used for the triggered scan | -| `configuration` | Default Configuration | No* | Yes | Yes (Scan only) | Checkmarx scan configuration setting | -| `team` | | Yes (not for XML parse mode) | Yes | Yes (Scan only) | Base team in Checkmarx to drive scanning and retrieving of results | -| `scan-timeout` | 120 | No* | Yes | Yes (scan only) | The amount of time (in minutes) that cx-flow will wait for a scan to complete to process the results. 
The Checkmarx scan remains as is, but no feedback is provided | -| `scan-polling` | 20000 | No | Yes | Yes | The amount of time (in milliseconds) in which cx-flow pings CxSAST server to get the status of the scan (i.e Queued, Finished or Failed). | -| `report-timeout` | 300000 | No | Yes | Yes | The amount of time (in milliseconds) for which cx-flow will wait for CxSAST to generate scan report.If report is not generated within 300000(in miliseconds)it will through Timeout exceeded during report generation as error message. | -| `report-polling` | 5000 | No | Yes | Yes | The amount of time (in milliseconds) in which cx-flow pings CxSAST server to get the status of the report. | -| `preserve-xml` | false | No* | Yes | Yes | This flag is used to preserve the original XML results retrieved by the Checkmarx scan inside the ScanResults object to be later used by a Custom bug tracker implementation, if required. Currently, **CxXMLIssueTracker** uses this flag | -| `incremental` | false | No* | Yes | Yes | Enables support for incremental scan support when CxFlow is triggering scans. The incremental-num-scans and incremental-threshold values must not be exceeded for the last available full scan criteria. | -| `incremental-num-scans` | 5 | No* | Yes | Yes (scan only) | The maximum number of scans before a full scan is required | -| `project-script` | | No | Yes | Yes | A **groovy** script that can be used for deciding the name of the project to create/use in Checkmarx. This is to allow for any client custom lookups and other integrations. The script is passed a "**request**" object, which is of type **com.checkmarx.flow.dto.ScanRequest**, and must return **String** representing the **team name** to be used. If this script is provided, it is used for all decisions associated with the determining project name | -| `team-script` | | No | Yes | Yes | A **groovy** script that can be used for deciding the team to use in Checkmarx. 
This is to allow for any client custom lookups and other integrations. The script is passed a "request" object, which is of type **com.checkmarx.flow.dto.ScanRequest**, and must return **String** representing the team path to be used. If this script is provided, it is used for all decisions associated with determining project name. | -| `incremental-threshold` | 7 | No* | Yes | Yes (scan only) | The maximum number of days before a full scan is required | -| `offline` | false | No* | No | Yes (parse only) | Use Table this only when parsing Checkmarx XML, this flag removes the dependency from Checkmarx APIs when parsing results. This skips retrieving the issue description from Checkmarx. | -| `exclude-files` | | No | Yes | Yes | Files to be excluded from Scan | -| `exclude-folders` | | No | Yes | Yes | Folders to be excluded from Scan | -| `custom-state-map` | | No | No | Yes | A map of custom result state identifiers to custom result state names | -| `post-action-postback-id` | | No | Yes | Yes | Sets the SAST project's post-scan action to use the post-scan action with the provided Id defined in SAST.If not provided, the project does not get configured to use a post-scan action. | -| `settings-override` | | No | Yes | Yes | Defaults value false, if set to true the projects settings are re-written/overridden when each SAST scan is invoked from CxFlow | -| `cx-branch` | false | No | Yes | Yes | A flag to enable branching of projects in CxSAST. | -| `scan-queuing` | false | No | Yes | Yes | A flag to enable queuing of scan events. | -| `scan-queuing-timeout` | 720 | No | Yes | Yes | The amount of time (in minutes) for which cx-flow will keep a scan event data in its queue before sending to CxSAST, when all the available concurrent scans in CxSAST are in use. | -| `disable-clubbing` | false | No | Yes | Yes | If set to true, results are not grouped at all.By default, results are grouped only by vulnerability and filename. 
| -| `email-notifications` | | No | | Yes (Scan only) | A map containing any or all of the following keys: `after-scan`, `before-scan`, `failed-scan`. The vaue of each key is a list of email addresses to which a notification should be sent in the case of the relevant event. | -| `project-branching-check-count` | 3 | No | Yes | Yes (Scan only) | The number of times to check the project branching status after a project has been branched. Only relevant for versions of CxSAST that support the querying of the branching status (API version 4 and higher). | -| `project-branching-check-interval` | 5 | No | Yes | Yes (Scan only) | The interval between checks of the project branching status. For versions of CxSAST that do not support querying the project branching status, execution will pause once for the specified duration. | -| `restrict-results-to-branch` | false | No | Yes | Yes (Scan only) | If set to `true`, when scanning a branched project, only results detected on the branch are reported. As the OData API is needed for this functionality, the CxSAST user used must be a assigned a role with the “API” permission. Also, the `client-id` property should be set to “resource_owner_sast_client” and the `scope` property should be set to “sast_api”. 
| -| `forcescan` | false | No | Yes | Yes (--forcescan) | Specifies whether the code should be scanned regardless of unchanged code | +| Config | Default | Required | WebHook | Command Line | Notes | +|------------------------------------|-----------------------|-------------------------------------|---------|-------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `username` | | Yes | Yes | Yes | Service account for Checkmarx | +| `password` | | Yes | Yes | Yes | Service account password Checkmarx | +| `client-secret` | | Yes | Yes | Yes | OIDC client secret for API login to Checkmarx | +| `scope` | | Yes | Yes | Yes | While using scope value in CLI, it must be provided in double quotes "" otherwise an exception will be thrown. 
| +| `base-url` | | Yes | Yes | Yes | Base FQDN and port for Checkmarx | +| `multi-tenant` | false | No* | Yes | Yes (Scan only) | If yes, the name space is created or reused, if it has been pre-registered or already created for previous scans) | +| `version` | | Yes (if Using CxSAST 9.0 or higher) | Yes | Yes | Required for CxSAST version 9.0 and higher | +| `scan-preset` | Checkmarx Default | No* | Yes | Yes (Scan only) | The default preset used for the triggered scan | +| `configuration` | Default Configuration | No* | Yes | Yes (Scan only) | Checkmarx scan configuration setting | +| `team` | | Yes (not for XML parse mode) | Yes | Yes (Scan only) | Base team in Checkmarx to drive scanning and retrieving of results | +| `scan-timeout` | 120 | No* | Yes | Yes (scan only) | The amount of time (in minutes) that cx-flow will wait for a scan to complete to process the results. The Checkmarx scan remains as is, but no feedback is provided | +| `scan-polling` | 20000 | No | Yes | Yes | The amount of time (in milliseconds) in which cx-flow pings CxSAST server to get the status of the scan (i.e Queued, Finished or Failed). | +| `report-timeout` | 300000 | No | Yes | Yes | The amount of time (in milliseconds) for which cx-flow will wait for CxSAST to generate scan report.If report is not generated within 300000(in miliseconds)it will through Timeout exceeded during report generation as error message. | +| `report-polling` | 5000 | No | Yes | Yes | The amount of time (in milliseconds) in which cx-flow pings CxSAST server to get the status of the report. | +| `preserve-xml` | false | No* | Yes | Yes | This flag is used to preserve the original XML results retrieved by the Checkmarx scan inside the ScanResults object to be later used by a Custom bug tracker implementation, if required. Currently, **CxXMLIssueTracker** uses this flag | +| `incremental` | false | No* | Yes | Yes | Enables support for incremental scan support when CxFlow is triggering scans. 
The incremental-num-scans and incremental-threshold values must not be exceeded for the last available full scan criteria. | +| `incremental-num-scans` | 5 | No* | Yes | Yes (scan only) | The maximum number of scans before a full scan is required | +| `project-script` | | No | Yes | Yes | A **groovy** script that can be used for deciding the name of the project to create/use in Checkmarx. This is to allow for any client custom lookups and other integrations. The script is passed a "**request**" object, which is of type **com.checkmarx.flow.dto.ScanRequest**, and must return **String** representing the **team name** to be used. If this script is provided, it is used for all decisions associated with the determining project name | +| `team-script` | | No | Yes | Yes | A **groovy** script that can be used for deciding the team to use in Checkmarx. This is to allow for any client custom lookups and other integrations. The script is passed a "request" object, which is of type **com.checkmarx.flow.dto.ScanRequest**, and must return **String** representing the team path to be used. If this script is provided, it is used for all decisions associated with determining project name. | +| `incremental-threshold` | 7 | No* | Yes | Yes (scan only) | The maximum number of days before a full scan is required | +| `offline` | false | No* | No | Yes (parse only) | Use Table this only when parsing Checkmarx XML, this flag removes the dependency from Checkmarx APIs when parsing results. This skips retrieving the issue description from Checkmarx. 
| +| `exclude-files` | | No | Yes | Yes | Files to be excluded from Scan | +| `exclude-folders` | | No | Yes | Yes | Folders to be excluded from Scan | +| `custom-state-map` | | No | No | Yes | A map of custom result state identifiers to custom result state names | +| `post-action-postback-id` | | No | Yes | Yes | Sets the SAST project's post-scan action to use the post-scan action with the provided Id defined in SAST.If not provided, the project does not get configured to use a post-scan action. | +| `settings-override` | | No | Yes | Yes | Defaults value false, if set to true the projects settings are re-written/overridden when each SAST scan is invoked from CxFlow | +| `cx-branch` | false | No | Yes | Yes | A flag to enable branching of projects in CxSAST. | +| `scan-queuing` | false | No | Yes | Yes | A flag to enable queuing of scan events. | +| `scan-queuing-timeout` | 720 | No | Yes | Yes | The amount of time (in minutes) for which cx-flow will keep a scan event data in its queue before sending to CxSAST, when all the available concurrent scans in CxSAST are in use. | +| `disable-clubbing` | false | No | Yes | Yes | If set to true, results are not grouped at all.By default, results are grouped only by vulnerability and filename. | +| `email-notifications` | | No | | Yes (Scan only) | A map containing any or all of the following keys: `after-scan`, `before-scan`, `failed-scan`. The vaue of each key is a list of email addresses to which a notification should be sent in the case of the relevant event. | +| `project-branching-check-count` | 3 | No | Yes | Yes (Scan only) | The number of times to check the project branching status after a project has been branched. Only relevant for versions of CxSAST that support the querying of the branching status (API version 4 and higher). | +| `project-branching-check-interval` | 5 | No | Yes | Yes (Scan only) | The interval between checks of the project branching status. 
For versions of CxSAST that do not support querying the project branching status, execution will pause once for the specified duration. | +| `restrict-results-to-branch` | false | No | Yes | Yes (Scan only) | If set to `true`, when scanning a branched project, only results detected on the branch are reported. As the OData API is needed for this functionality, the CxSAST user used must be a assigned a role with the “API” permission. Also, the `client-id` property should be set to “resource_owner_sast_client” and the `scope` property should be set to “sast_api”. | +| `forcescan` | false | No | Yes | Yes (--forcescan) | Specifies whether the code should be scanned regardless of unchanged code | No* = Default is applied ### Custom Checkmarx Fields
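Review bot: The new `version` row leaves the reader without the one thing they need, which value to put in it: its Notes cell ("Required for CxSAST version 9.0 and higher") only repeats the Required cell ("Yes (if Using CxSAST 9.0 or higher)"), so the row should instead state what the value is (the CxSAST release number, if that is what the code expects), give an example value, and say what happens when it is omitted on a 9.x server (the Default column is empty, so the reader cannot tell whether a fallback exists). Minor: "if Using" should be "if using" to match the casing of the other Required cells such as "Yes (not for XML parse mode)". Since the hunk rewrites every row of the table anyway (only the column widths changed on the other rows), it is also a cheap opportunity to fix the typos carried over unchanged: "it will through Timeout exceeded" (throw), "The vaue of each key" (value), "must be a assigned a role" (assigned a role), and "Use Table this only when parsing" (Use this only when parsing).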